Secure Controls Framework
Free Content

SCF Download: The Common Controls Framework™ Free For Everyone

Download the most comprehensive free cybersecurity and data privacy metaframework available. A Living Control Set (LCS) continuously updated by volunteer experts, available in Excel and JSON formats.

33 Domains
1,400+ Controls
200+ Frameworks Mapped
FREE (Creative Commons)

ABOUT THE SCF DOWNLOAD

One Download. Hundreds of Frameworks. No Cost.

The SCF download is not just a controls list. It is a complete GRC toolkit built by volunteer cybersecurity and data privacy experts that is released free under Creative Commons licensing.

A single download gives you the full 1,400+ control catalog, all 200+ framework mapping tabs, SCR-CMM maturity criteria for every control, proposed risk weightings, MCR/DSR classification, risk and threat catalog crosswalks, and Assessment Objective (AO) guidance. Everything needed to build and assess a cybersecurity program from any starting point.

The SCF is the basis for your organization's Living Control Set (LCS). The SCF is updated on a quarterly basis to include changes whenever a new law is enacted, a framework releases a new version, or an emerging threat demands new controls.

Volunteer-Driven. Creative Commons Licensed. All SCF content is developed by volunteer cybersecurity practitioners, including CISOs, auditors, GRC specialists, privacy experts, and engineers, and released at no cost under Creative Commons Attribution-NoDerivatives 4.0 International.

GET THE SCF

Download the SCF

Fill out the short form to access the full SCF download. No account required, just basic contact info so we can keep you informed about new releases.

Prefer to skip the form? The full SCF is always available on GitHub with no registration or login required. The form is optional but helps us understand adoption and improve the framework.

Access the Full SCF Download

We use this information to understand how the SCF is used worldwide and to notify you when new versions are released.

AVAILABLE FORMATS

Choose Your Format: All Free

Every format contains the same complete SCF control catalog. Choose based on how you plan to use the data.

Excel / XLSX
Recommended

SCF Spreadsheet

The primary SCF download. The full control catalog with all framework mapping tabs, maturity criteria, risk catalog, and threat catalog in a single multi-tab workbook.

NIST OSCAL JSON
NIST Standard

Machine-readable Open Security Controls Assessment Language, the NIST standard for structured control data, enabling automated compliance workflows and OSCAL-native tool integration.

COMPLETE CONTENTS

What's Included in the SCF Download

The SCF download is a complete GRC toolkit, far more than a control catalog. Here is everything inside every download.

Control Catalog: 1,400+ Controls

The core of the SCF. Controls organized across 33 domains. Every control includes a unique identifier, objective statement, plain-language description, and purpose statement aligned to the domain principle.

Framework Mappings: 200+ Laws & Frameworks

Every SCF control is mapped to all applicable laws, regulations, and industry frameworks using the transparent NIST IR 8477 STRM methodology. Directional mappings show whether SCF covers, partially covers, or exceeds each external requirement.

SCR-CMM Maturity Criteria

Five-level maturity criteria (Ad Hoc through Optimized) for every SCF control, built directly into the spreadsheet so organizations can immediately score their current control maturity.

Proposed Control Weighting

Risk-based weighting for every control, essential for prioritizing remediation, allocating resources, and producing defensible risk scores for board-level reporting.

MCR / DSR Classification

Every control is classified as a Minimum Compliance Requirement (MCR), meaning externally mandated, or a Discretionary Security Requirement (DSR), meaning risk-based and internally driven.

Risk Catalog Crosswalk

Risks are mapped to the SCF controls that mitigate them, enabling risk-informed control selection and residual risk analysis when controls are partially implemented.

Threat Catalog Crosswalk

Threats are mapped to the SCF controls that address them, enabling threat-informed defense and right-sizing security investment based on the actual threat landscape.

Assessment Objectives (AOs)

Examiner guidance per control provides the criteria used to evaluate whether a control is effectively implemented. This removes ambiguity from both self-assessments and third-party audits.

GRC PLATFORM INTEGRATION

Import Into Any GRC Platform

The SCF is utilized by many leading GRC platforms worldwide. Import the full 1,400+ control catalog with all mappings via .CSV or JSON (NIST OSCAL formatted) in minutes, not months.

Unlike proprietary frameworks that lock you into a single vendor ecosystem, the SCF uses open, standardized formats. Your control data is yours, portable, exportable, and not dependent on any single tool vendor.

JOIN THE COMMUNITY

Get Connected & Stay Involved

The SCF is more than a download. It is a living community of cybersecurity and GRC practitioners. Get the latest version on GitHub, ask questions in Discord, or support the mission with a donation.

Download on GitHub

The SCF is hosted on GitHub, the canonical source for all downloads. No account required. Watch the repository to be automatically notified when a new version of the Living Control Set is published.

Join the Discord

Connect with thousands of cybersecurity and GRC practitioners in the SCF community Discord. Ask questions, share your experience, discuss emerging regulations, and stay up to date on releases.

Support the SCF

The SCF is built and maintained entirely by volunteers and funded through donations. If the SCF has saved your organization time, money, or compliance headaches, please consider donating.